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We present here three different approaches to the problem of modeling mathematically the con- 
cept of a nondeterministic mechanism. Each of these three approaches leads to a mathematical 
definition. We then show that all the three mathematical concepts are equivalent to one another. 
This insight gives us the option of approaching the wp formalism of Dijkstra from a different 
viewpoint that is easier to understand and to teach. 

Categories and Subject Descriptors: F.1.2 — Modes of Computation — Alternation and nondeterminism [F.O — Mis- 
cellaneous]: ... 

General Terms: Algorithms 

Additional Key Words and Phrases: choice set maps, convergence, continuity, uip-formalism. 



1. INTRODUCTION 

In his well-known book [Dijkstra 1976] Dijkstra speaks of his intention to present "a number of beautiful 
algorithms in such a way that the reader (can) appreciate their beauty" and do so "by describing the 
... design process that would each time lead to the program concerned". 

He then introduces the wp formalism. In his hands this becomes a powerful tool to carry out his 
agenda. Surely this methodology should be more widely taught and learned. Not only that, it is 
necessary to examine if it can be extended to cover the present programming paradigms. However, the 
wp formalism is hard to learn and use. One is therefore interested in exploring alternative approaches 
to the formalism that make it simpler to understand and easier to practise. In this article we show that 
the backward mapping predicate transformers that Dijkstra uses may be effectively replaced by forward 
mapping state choice maps. It becomes possible then to use the alternative approach suggested by the 
results of this paper to carry out his agenda in a different and perhaps more transparent manner. 
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2. THREE DEFINITIONS 

The mapcode approach to the understanding of computing concepts in the detcaniinistic case has hccn 
elaborated in [Viswanath 2006; 2008] and in the references cited there. This approach models a program 
as the repeated application of a self- map on a set, following [D.E.Knuth 2002], page 7. It has been shown 
[Viswanath 2008] that this generic model is sufficient to convey an understanding of many concepts 
ranging from machine language to neural networks. At the same time it is sufficiently practical to 
formulate many standard programs rigorously and prove their total correctness. 

It is necessary to extend this approach to the study of parallelism and concurrency. To this end it is 
necessary to first choose a mathematical model for nondeterministic programs. The mapcode philosophy 
suggests that we set aside for the time being the formal language problems of how to get a machine to 
do what we want it to do, and strive for clarity in the language of sets and maps as to what exactly we 
want the machine to do and why. 

We start with the concept of a state space X. This is the space of variables on which the computation 
takes place. As in the deterministic case we take the point of view that a generic nondeterminis- 
tic program consists of repeatedly invoking a nondeterministic mechanism till a stopping condition is 
met. Thus the focus shifts to the modeling of a nondeterministic mechanism. Looking at the question 
ab initio we show that there arc three natural viewpoints. Fortunately all three turn out to lead to 
equivalent mathematical structures. Wc are thus enabled to proceed with the theory of nondeterministic 
computation in subsequent articles basing ourselves on any one of the definitions studied here. 

The first approach is the simplest and the most natural. Given x & X, let A{x) denote a subset of 
X. We can model nondeterminism by requiring that if the current state is x, then the mechanism when 
invoked presents us with one of the states y in A(.t) in a finite amoimt of time. How exactly the state y 
is produced is hidden from us. It is observed in [Walicki and Meldal 1997] that this is the most common 
approach. 

Our second approach is the one suggested by Dijkstra [Dijkstra 1976]. In this approach the focus shifts 
from individual states to sets of states and from initial states to final outcomes. We ask the question: 
given a set A C X what is the set of all states for which if the initial state x £ IJ.{A), then the 

mechanism when invoked returns with certainty an outcome that is in A? If we knew n{A) for every A, 
then it is reasonable to feel that we have understood the mechanism well.^ 

Because the map fi : V{X) ViX) has been derived by a particular line of reasoning, it is auto- 
matically endowed with certain properties. For example, if ^4 C _B, then wc should have n{A) C ii{B). 
After all, if starting in i^{A) guarantees that we will move into A, it should also guarantee that we will 
move into B, because A C B. It is also reasonable to require that fj, should carry the empty set to the 
empty set. 

Let {Aj I j e J} be any collection of sets. If starting in iJ,{Aj) guarantees the outcome to be in Aj, then 

staring in n/i(Aj) should guarantee the outcome to be in HAj. So it is necessary that DniAj) C /i(nAj). 
Because OAj C Aj for all j, by the monotonicity property of /x just observed, the reverse inequality also 
holds. So we must have iJ.{(lAj) = n/i(Aj). 



^The symbol fi has been chosen to represent a multiplicative map. Later on, we use the symbol a to denote an additive 
map. 
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In the case of unions the monotonicity property imphes that U/x(Aj) C ^[[jAj). A httle reflection 
shows that the reverse inequahty need not hold. Given a state x one may be able to guarantee that the 
outcome y is in the union, though y may not be uniquely determined by x. It is possible that y could 
belong to one Aj on one invocation of the mechanism and in another Aj for another invocation. So we 
may not be in a position to say that the outcome y will definitely be in one of them. 

In the discussion above, we used the monotonicity property to establish the intersection preserving 
property. It is possible to show, and wc shall do so later, that the intersection preserving property 
implies the monotonicity property. So let us choose the defining properties of /x to be /x(0) = and 
IJ,{nAj) — DniAj). fi is our second definition for a nondeterministic mechanism. 

The third approach is similar to the second. Now we ask: given a set A what is the set a{A) of all 
states with the property that we can guarantee that at least one of the outcomes will be in Al (Earlier 
wc wanted every possible outcome to be in A, now wc only ask for at least one outcome in A.) Repeating 
the thought processes that led us to derive the properties of jjL it is not diflicult to conclude that a should 
carry the empty set to itself and preserve arbitrary unions. 

In the rest of the article we shall study these three definitions mathematically and show how they 
relate to one another and to Dijkstra's theory. 



3. CHOICE SET MAPS 

In what follows X denotes a non-empty set called the state space. T'{X) is the powerset of X. denotes 
the empty set. A will denote an arbitrary subset of X and {^4^} will be an arbitrary collection of subsets 
of X. The symbol = may be read as 'is defined to be'. 

Definition 3.1. A map A : X — > 'P{X) is called a choice set map on X. A(a;) is called the choice 
set at X. The pair (X, A) is called a choice structure. □ 

Suppose (X, A) is a choice structure and AC X. 

Definitions 3.2. (1) x G X is called a dynamic element of A if A{x) ^ 0; otherwise it is called a 

static element. The set of all dynamic elements of A is denoted by dyn{A). 

(2) A-^{A) = {a; I 9^ A(x) C A}. A-^{A) is called the inverse image of A under A. A-^{y) = 
A-i({y}). Note that A'^ : V{X) r{X). 

(3) A~^{A) = {x I A(a;) f^ A^%}. A~^{A) is called the weak inverse image of A under A. A~^{y) = 
A-\{y}). Note that A"! : V{X) ^ V{X). □ 

The examples in Section 6 may be studied in conjunction with the theory being developed here to 
help understanding. 

Remarks 3.3. Given X, A, A and {Aj} we have: 

(1) A-i(0) = = A-i(0). 

(2) A-i(A) C A-i(A) C dyn{A). 
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(3) A-\n,A,) = n,A-\A,) and A-i(UjA,-) = U,A-^{A,). 

(4) A-i(A) = dyniA) \ A~\A'') and A-\A) = dyn{A) \ A-^{A'') □ 

4. MULTIPLICATIVE AND ADDITIVE MAPS 

Definition 4.1. Suppose ji : V{X) —> V{X) is a map such that /x(0) = and for any {Aj}, 
fi{r\jAj) = r\jn{Aj). Then n is said to be a multiplicative map. n{x) = ^{{x}). □ 

Remark 4.2. If A is a choice set map on X then A~^ is a multiphcative map. □ 

Theorem 4.3. Suppose ^ is a multiplicative map. 

{!) IfAi C A2 then ii{Ai) C /i(^2) • 

{2) Uj/Lt(Aj) C /z(UjAj) /or all {Aj}. Equality need not hold. 

(3) There exists a unique choice set map A on X such that n = A~^. 

Proof 

(1) The monotonicity property holds because Ai <Z A2 ^ Ai — Ai Ci A2 ^ m(^i) = ^ ^(^2) ^ 

C f,{A2). 

(2) The inchision relation follows from the monotonicity property above. To see that equality need 
not hold, let X = Z, the set of integers, and suppose A(a;) = {±a;} for all a; S Z. We then have 
A-i([0 : 00)) = {0} and similarly A-i((-oo : 0]) = {0}, but A-\Z) = Z. 

(3) Suppose fJ,{X) = B. By the monotonicity property AC X ^ l^-iA) C B. Also, for any x £ B, there 
is at least one A C X such that x £ n{A), namely A = X. Suppose 



A{x) 



n{A I X G if x G B; 

0, if a; ^ B. 



Let X G B. We show that then x G ^{A{x)). This proves incidentally that A(a;) 7^ if and only 

if x G -B so that dyn{A) = B. By the multiplicative property fj,{A{x)) = /;,(n{^ | x G ^(A)}) 
= ri{iJ,{A) I X G l-i{A)}. Clearly x is in the set on the right hand side of the above equality. So 
X G i^{A{x)). 

Let ^ C X. By definition of A(a;), x G fJ,{A) ^ 9 =^ A{x) CA^xE A-^{A). So C A-^{A). 
Suppose next that x G A~^(^). Then ^ A(a;) C A. By the monotonicity property of /U this 
implies that /u(A(a;)) C iJ,{A). We have already seen that x G /i(A(a;)). So a; G niA). This shows 
that A-i(^) C 

Combining the last two observations above we see that /U = A~^. 

To prove the uniqueness of A suppose there are two choice set maps Ai and A2 such that Aj"^ 

= 11 = A^\ We have then dyn{Ai) = A^'^{X) = A^^(X) = dyn{ A2) = B, say. 
If X ^ B, Ai{x) = = A2(x). Suppose X G B. Let Ai(x) = Ai, A2(x) = A2. Thenx G A~^{Ai) ^ 
X G A2 ^(^1). So A2(x) C Ai, or A2 C By symmetry A^ C A2. Hence Ai(x) = A2(x) for all 
X G B also, so that Ai = A2. □ 

One can have a characterization of the A~^ map as of the A~^ map by introducing the notion of an 
additive map as below. 
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Definition 4.4. Suppose a : V{X) ^{X) is a map such that a(0) = and for any {Aj}, 
a(UjAj) = \Jja{Aj). Then a is called an additive map. a{x) = a{{x}). □ 

The proof of the next theorem is left to the reader. 

Theorem 4.5. (i) Suppose n is a multiplicative map, fJ,{X) = B, and for any A, a^(A) = 
Then is an additive map. 
(2) Suppose a is an additive map, a{X) = C, and for any A, fia{A) = C \ a{A^). Then Ha is a 

multiplicative map. 
i^) l^a^ = M o,nd a^^ = a. 

{4) If n = then = A'^ If a = A-^ then = A-^ □ 
The next theorem gives the properties of additive maps. 
Theorem 4.6. Suppose a is an additive map. 

(1) If Ai C A2 then a{Ai) C ^(Aa). 

{2) a{n-^Aj) C C\ja{Aj) for all {Aj}. Equality need not hold. 

(5) There exists a unique choice set map A on X such that a = A~^. 

Proof 

(1) The monotonicity property holds because Ai C A2 ^ A2 — Ai U A2 ^ C({A2) = a{Ai) U 0(^2) 
a{Ai) C a{A2). 

(2) The inclusion relation follows from the monotonicity property above. To see that equality need 
not hold, let X = Z, the set of integers, and suppose A(a;) = {±a;} for all x G Z. We then have 
A-i([0 : 00)) = Z and similarly A-i((-oo : 0]) = Z, but A-i({0}) = {0}. 

(3) Let C = a{X). By the monotonicity property AC X ^ oi{A) C C. Suppose 

^ j {y\x€ a{y)}, if x e C; 

if X ^ C. 



A{x) 



Notice that C = a{X) = Uy^xoc{y). So if x G C there is at least one y £ X such that x € a{y). 
This proves that A(x) 7^ if and only if x € C so that dyn{A) = C. 

Let A C X. Then x G a{A) ^ there exists y G A such that x € (x{y) there exists y € A{x)nA <^ 
A(x) nA^^^xe A-\A). So a{A) = A-\A). 

To prove uniqueness, suppose there are two choice set maps Ai and A2 such that (Ai)~^ = a = 
(Aa)-!. In particular then dyn{Ai) = (Ai)-i(X) = (A2)-i(X) = dyn{A2) = C, say. 
If X ^ C, Ai(x) = = A2(x). Suppose x G C. Then y G Ai(x) x G {Ai)-^{y) ^ x G 
{A2)-^{y) ^ A2(x) n {y} ^ ^ y G A2(x). So Ai(x) C A2(x). By symmetry A2(x) C Ai(x). 
Hence Ai(x) = A2(x) for all x G C, so that Ai = A2. □ 



The results proved so far show that 



(1) There is a one-to-one correspondence between choice set maps and multiplicative maps. 
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(2) There is a one-to-one correspondence between multiplicative maps and additive maps. 

(3) There is a one-to-one correspondence between additive maps and choice set maps. 

(4) The three correspondences commute. 

Suppose {A„) is a sequence of subsets of X. Recall that lim sup An = n„(Ufe>„Afe) and lim inf An = 
Un(nfe>„Afe) and that if both are equal the common value is called lim An- If (A„ |) denotes a 
monotone increasing sequence of subsets of X then lim An = UA„. If {An i) denotes a monotone 
decreasing sequence of subsets of X then lim An = n^„. is said to be a convergent sequence if 

lim^„ exists. 

Definition 4.7. A map a : V{X) ViX) is said to be continuous if a{lim An) = lim cr(A„) for 
all convergent sequences {An). 

Remarks 4.8. (1) a : V{X) ^ V{X) is continuous if and only if a{lim An) = lim cr(A„) for aU 
monotone sequences {An). 

(2) The continuity spoken of here is continuity in the space of sets V{X). It needs to be studied how 
this is related to the concept of continuity in denotational semantics [D.A.Schmidt 1986]. □ 

Theorem 4.9. Suppose n, a, and A correspond to one another. The following are equivalent. 

{1) PL is continuous. 

[2) a is continuous. 

(3) A{x) -IS finite for all x & X . 

Proof : We have seen earlier that = a{X) = dyn{A). Let this set be denoted by B. We first 

show that statements (1) and (2) are equivalent. 

Since /i is multiplicative it preserves limits of monotone decreasing sequences. So /i is continuous if 
and only if it preserves limits of monotone increasing sequences. The situation is just the other way 
round for a because ^ and a are related by the equality a{A'^) = B \ ij,{A). 

So iJ, is continuous <^ ^(U^n) = U/^(A„), V (A„ T) ^ -B \ At(UA„) = B \ U/z(A„), V {An T) 
a{nA^) = na{A^), V {An t) Q!(nS„) = na(B„), V {En i) <^ a is continuous. 

We next show that (1) and (3) are equivalent. For this it is enough to show that A(a;) is finite for all 
X if and only if preserves limits of increasing sequences of sets. 

Suppose A(a;) is finite for all x G X and let {An t)- By Theorem 4.3 we have U(A~^(A„)) C 
A~^(UA„). To prove the opposite inequality suppose x € A~^{UAn). Then A(x) C UA„. Since A(a;) 
is finite and A„'s are monotone, there exists m such that A(a;) C A^- So a; G A~^{Am) Q U(A~^(A„)). 

To prove the converse, suppose A(a;) is infinite for some x, say A{x) = 2/2, • ' •}• Let An = 
{yi, 2/2, • • • , Un}. Then, whatever be n, A{x) %An so that x ^ A^^(A„) and hence x ^ UA~^(A„). But 
X e A~^(uA„). So A~^ is not continuous. □ 
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5. CONVERGENCE 

Definitions 5.1. Suppose A, Ai, and A2 are choice set maps on X. 

(1) For A C X, A(y4) = U{A(a;) | a; € A}, if A 7^ 0; and A(0) = 0. 

(2) For X £ X, (A2 o Ai)(a;) = A2(Ai(a;)). A2 o Ai is a choice set map on X called the composition of 
A2 with Ai. 

(3) A°(x) = [x] so that A°(A) = A for any A C X, and recursively for fc > 1, A*^ = A o A'=-i = 
A'^-IqA. □ 

Definitions 5.2. Let A be a choice set map on X. 

(1) fix{A) = {x I A(a;) = {x}} is called the set of fixed points of A. 

(2) stab{A) = {x I A"(a;) C dyn{A) for all n > 0} is called the set of stable points of A. 

(3) con(A) = {x \ x E sia&(A), A'^(x) C fix{A) 3 fc > 0} is called the set of convergent points of A. 

(4) con^(A) = {x I A'^(x) n fix{F) ^ 3 fc > 0} is said to be the set of weakly convergent points of A. 
□ 

Remarks 5.3. (1) fix{A) C con{A) C con^{A) nstab{A). 

(2) A'^ix) n fix{F) C A'=+i(a;) n fix{F) for fc > 1. 

(3) A-^{stab{A)) C stabA. □ 

The definitions of convergence and weak convergence given above arc conceptually easy to understand 
but verifying convergence using these definitions is not convenient in practice. So we give below a more 
practical characterization of convergence. 

Definitions 5.4. (1) If y S A(a;) we write x ^ y and say that x maps to y. ^ defines a binary 
relation on X. 

(2) For n > 1 , a finite sequence {xq , , ■ • • , of elements of X is called a run of length n starting at xq 
and ending at Xn \i xq ^ x\ 1— > • • • 1— > a;„. In this case Xi G A(a;o), X2 € A(a;i), • • • , a;„ € A(a;„_i). 

Also Xn e A"(a;o). 

(3) If (xojCCi, • • • ,x„) is a run we write xq h^* Xn and say that Xn is reachable from xq. It may be 
observed that h^* is the transitive closure of 1— 

(4) If (xo, Xi, . . . , Xn) is a run and < m < n then {xo,x\,. . . , Xm) is also a run. In such a case, we say 
that {xo,xi, . ..,Xn) is an extension of (^tq, Xi^ • • • ? ^m)* 

(5) A run is said to be aborted if it ends in a state that is not in dyn{A); that is, if it has no extension. 

(6) A run is said to be terminal if it ends in a fixed point of A. If {xo,Xi, ■ ■ ■ , Xn) is a terminal run and 
m is the least positive integer such that Xm € fix{F), then Xm = Xm+i = ■ ■ ■ = a;„. □ 

Theorem 5.5. Suppose A is a choice set map on X and x £ X. 

{1) X e con(A) if and only if 
(a) there are runs at x; 
(6) every run at x can be extended; 
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(c) there exists k > 1 such that every run starting at x of length k or more is a terminal run. 
{2) X G conw(A) if and only if there exists a run starting at x that is terminal. 

Proof 

(1) Suppose that x G con(A) so that A"(a;) C dyn{A) for ah n > 0, and A'^{x) C fix{F) for some 
fc > 1. We need to prove (a), (b), and (c). 

Since x € dyn{A), A(x) is not empty. Let y € A(a;). Then {x,y) is a run. So there are runs at x. 
This argument can be repeated with the last element of the run replacing x above. This shows that 
any run at x can be extended. 

Consider any run (a;, xi,X2, ■ ■ ■ , Xk) of length k. Then Xk € A'^(a;) C fix{F). Hence it is a terminal 
run. 

Conversely assume that x satisfies (a), (b) and (c). Since there are runs at x, x € dyn{A). Since 
every run at x can be extended it follows that A"(a;) C dyn{A) for every n > 0. So x is stable. 
Let k be given by (c). We need to prove that A''{x) C fix{F). Let Xk G A'^(a;). Since k > 1, 
A'^(x) = A{A^~^{x)). So there exists Xk-i S A*^~^(x) such that Xk S A(a;fc_i). Continuing in this 
way we can construct a run (x, xi, • • • , Xk). Since this nm has length k it is terminal. So Xk S fix{F). 
Since Xk was chosen to be an arbitrary element in A''{x) it follows that A'^(a;) C fix{F). 

(2) Suppose X G conyj{A). Then there exists fc > 1 such that A'^(a;) n fix{F) ^0. So there ex- 
ists an clement Xk G A'^(.t) n fix{F). Since Xk G A'^(a:) = A(A'^~^(a;)) and A; > 1, there exists 
Xk-i G A'^~^{x) such that Xk G A(a;fe_i). Continuing inductively we get a sequence Xi,l < i < k 
such that X 1-^ Xi ■ ■ ■ 1-^ Xk G fix{F). Its length is k. 

Conversely assume that there exists a terminal run starting at x of length k. Then there exist Xi, 
1 <i < k, such that x ^ xi ^ ■ ■ ■ i-^ Xk & fix{F). Then Xk G A''(a;). Hence A*(a;) n Jix{F) ^ 0. 
□ 

Let A be a choice set map on X. We had observed in Remarks 5.3 that the sequence of sets A^{x) PI 
fix{F) is monotonically increasing. 

Definition 5.6. Let (X A) be a choice structure. For any x e X define A°°{x) = U {A''{x) n 
fix{Fj). The choice set map A°° is called the limit map of A. Elements of A°°{x) are called the limit 
points of A at X. □ 

Remarks 5.7. (1) fix{A°°)=fix{A). 

(2) A°°{x) ^ {y : x h^* y,y G fix{F)}. Those arc the points of fix(F) that are reachable from x. 

(3) X G con(A) if and only if every run at x when sufficiently extended ends up in fix{A). The set of 
all such reachable points of fix{A) is precisely A°°(a;). 

(4) x G conn^iA) if and only if A°°(.x) ^ so that dyn{A°°) = con^(A). 

(5) Suppose A(x) is finite for all x. If a; G con{A) then there exists fc > 1 such that A'^(a;) C fix{F). In 
such a case A*^ {x) = A°° {x) . In particular A°° {x) is finite. So it is impossible to have a convergent 
choice structure with A(a;) finite and A°°{x) infinite for x G X. It is this fact that Dijkstra is 
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pointing out when he says [Dijkstra 1976] that there can not exist a program that says "set x to 
any positive integer". Example 6.3 illustrates this point further. □ 

Definition 5.8. For any A C X the set has{^,A) = {a; e con(A) | A°°(a;) C A} is called the hasin 
of A with respect to A . □ 

Remarks 5.9. (1) Recalling Definition 3.2 we see that has{A,A) = con{A) n {A°°)-'^{A) for all 
ACX. 

(2) It is not true that 6as( A, A) = (A°°)-i(A) foralM C X if con( A) ^ con^(A). For let a; e conu,(A)\ 
con(A) and take A = fix{A). Then A°°{x) C A so that x G {A°°)-'^{A) but x ^ bas{A, A). □ 



6. EXAMPLES 



Example 6.1. Suppose X is any set and A(a;) = for all x. Then dyn{A) = fix{A) = 0, A~^(A) = 

A~^{A) = for all ACX, and A'^(.t) = for all x E X. No state maps to any state nor yields any 
state. There are no runs, no stable points, no convergent points and no weakly convergent points. So 
stab{A) = con{A) = conw{A) = 0. Also A°°{x) = <D, x £ X and bas{A,A) = for every AC X. A 
may be identified with the abort command. □ 



Example 6.2. Suppose X is any set and A(x) = {x} for all x C X. Then dyn{A) = fix{A) = X, 
A~'^{A) = A^^{A) = A for all A e 'P(X), and A''(a;) = {a;} for all x. Every clement maps only to 
itself and yields only itself. Every run is of the form (a;, a;, • • • , x) and is terminal. Every clement yields 
only itself. So stab{A) = con{A) = conu,(A) = X. A°°{x) = {x} for all x €X. bas{A,A) = A for all 
A e 'P{X). This structure may be identified with skip, because leaves everything unchanged. □ 



Example 6.3. Suppose X is any infinite set and A(a;) = X for all x. Then , dyn(A) = stab{A) = X, 
fix{A) = 0. A-i(X) = X and A-\A) = 0, if A ^ X. A-^{A) = X ii<D ^ AC X. Af'ix) = X for 
all X <E X and fc > 1. Every clement maps to every other clement and yields every other clement. Any 
finite sequence of elements of X is a run and no run is terminal. There are no convergent points or 
weakly convergent points, so that con(A) = = con^(A). A°°(a;) = for all a; G X. bas{A, A) = for 
every A G 'P(X). □ 



Example 6.4. Suppose F : X ^ X is a map and A(a:) = {F{x)} for all a: G X. We call A a 
deterministic map. In this case dyn{A) = X, stab{A) = X. fix{A) = fix{F), and all the definitions 
we have given above reduce to the corresponding definitions for the deterministic fiow (X, F) as given 
in [Viswanath 2008]. We have A'=(a;) = {F''{x)} for all x and k. con(A) = con^{A) = con{F). 
A-i(A) = A-i(A) = i^-i(A) for all A G V{X). Further A°°(a;) = {F°°{x)] for all x G con(F), and 
bas{A, A) = Ufe>oF-'=(A n fix{F)). □ 



Example 6.5. Let X = l\l and suppose A is a choice set map on IN defined by 

r{G}, ifa= = 0; 

~ \ {a;- l,a; + l}, ifa;>0. 



Then dyn{A) = stab{A) = IN and fix{A) = {0}. If a; > 0, (a;, a: — 1, x — 2, • • • , 0) is a terminal run of 
length x. It follows that every state is weakly convergent. 
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It may be noted that for any x and n > 0, a run of the form {x,x + 1, x + 2, • • • , a; + n, a; + n — 
1, ■ • • , x, x — 1, a; — 2, • • • , 0) is also terminal with length x + 2n. So there exist arbitrarily long terminal 

runs at any x. At the same time for any x, [x, a:; + 1, a:; + 2, • ■ • , x + n) is a nonterminal run for every n. 
So there also exist arbitrarily long nonterminal runs starting at every x > 0. It follows that no state is 
convergent except 0. 

For this example con(A) = /zx(A) = {0} and con^(A) = X. A°°(x) = {0} for all x e IM. 6as(A, A) = 
{0} G A □ 

Example 6.6. In this example we show that the sets (i2/n(A), sta6(A), con(A), con^(A) can all be 
different. Let X = T. and suppose A is defined by 

{x-2,x + 2}, ffx>0,X7^2; 
A(x)= <( {2}, ifx = 2, 

ifx<0. 

Then (iyn(A) = IN, stab{A) = 2IN\{0}, and /zx(A) = {2}. If x > is an odd number, A'=(x) contains 
only odd numbers and hence A'^(x) fl /ix(A) = for every k >0. 

If a; = 0; (0, 2) is a terminal run of length 1. If x > is even, (.x, x — 2, x — 4, • • • , 0) is a terminal run 
of length x/2. It may be noted that (0, —2) is an aborted run. For any x > 2, x even, and n > 0, a run 
of the form (x, x + 2, x + 4, • • • , x + 2n, x + 2n — 2, • • • , x, x — 2, x — 4, • • • , 2) is a terminal with length 
2n+ (x/2) — 1. So there exist arbitrarily long terminal runs at any even x,x > 2. At the same time for 
any such x, (x, x + 2, • • • , x + 2n) is a nonterminal run for every n. So there also exist arbitrarily long 
nonterminal runs starting at every even x > 2. 

It follows that con^(A) = 2M and con(A) = {2}. A°°(x) = {2} for ah x G 2IN. bas{A,A) = {2} <^ 
2 G A and bas{A, A) = <^ 2 ^ A. □ 

Example 6.7. In the above example we saw that there exist x G X such that there could be terminal 
runs of arbitrary length starting at x. However all of the runs end up in the same final state. The present 
example [Dijkstra 1976] is one where there are terminal runs of arbitrary length that start at the same 
state but end up at different states. 



Let X = M X {0, 1}. Define A by 

^ \ {(x,0)}, if 2/ = 0. 



It is left to the reader to check that fix{A) = con{A) = M x {0}, stab{A) = conyj{A) = X, 
A°°(x, 0) = {(x, 0)} and A°°(x, 1) = {(x + n, 0) | n > 0}. □ 



7. DIJKSTRA'S IF AND DO CONSTRUCTS 

After describing the concept of a state and introducing the state space (which we have called X) Dijkstra 
[Dijkstra 1976] (p. 15) introduces the notion of a nondeterministic machine. He says that "activation (of 
such a machine) in a given initial state will give rise to one out of a class of possible happenings, the 
initial state only fixing the class as a whole" . We have interpreted this statement to mean that for every 
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a; G X we are given a set A(a;) <Z X such that if x is the initial state, then A(a;) is the set of aU possible 
happenings when the nondeterministic machine is invoked once. Thus a choice structure {X, A) is our 
model for a nondeterministic machine. 



However, even after almost defining a choice structure, Dijkstra does not formalize nondeterminism 
in this way. He says that "the design of such a system is a goal-directed activity, in other words that 
we want to achieve something with that system." What wc want to achieve is a "post-condition" . That 
is to say after the machine is invoked we want to insure that the resulting state belongs to a certain set 
A G X. He then says that "we should like to know .... the set of (all) initial states such that activation 
will certainly result in a properly terminating happening leaving the system in the; final state; satisfying 
the post-condition". In our notation this is A~^{A). This set he calls the "weakest pre-condition" and 
denotes it by wp {S,A), where S is his notation for the mechanism. Without giving a definition of S 
directly he wants to characterize it by the map A wp {S,A). He shows that, as we have done in 
Section 2, that this map is multiplicative in A. So, for Dijkstra, every nondeterministic mechanism is 
given by a multiplicative map. In our notation we shall henceforth take wp (A, A) to be the same as 
A-\A). 

We need now to connect the theory of nondeterminism developed so far using A to the theory that 

may be developed using A"-'^. Before doing that, wc shall define the structures IF and DO directly 
in terms of choice set maps and derive the two main theorems about them to show how simple the 
definitions and proofs are in our approach. 



A patch on X is a pair {D, F) where D C X and F : D ^ X [Viswanath 2008]. A patch {D, F) can 
be interpreted to be a guarded command. Its action is first to check if a given state x is in D. If it is, 
X is changed to F{x). If it is not, then no action is taken^. 



Definitions 7.1. (1) A quilt Q is a collection of patches: Q = {{Di.Fi), {D2, F2), • • • , {Dk, Fk)}. 
(2) Given a quilt Q let D = Ui<,<fc£>i and define the choice set map Ag by 

A ( \ _ ( \ X £ Di for some i} if a; G D; 

^^^^^ ~ \ {x}, ifx^D 



By definition, Aq{x) ^ for ah x € X. So dyniAg) = X. What about fixiAq)! Clearly 
D'^ C fix{AQ). There could be points of D also in fix{AQ). Let E={x&D\x&Di^ Fi(x) = x}. 
Then E C fix{AQ) and in fact fix{AQ) = D'^L) E. It is to be noted that the set E is not mentioned 
explicitly by Dijkstra. 



Definition 7.2. Let Q be a quilt as above let D = Ui<i<kDi. The choice structure Ajp is defined 
by 



ifx^D 

□ 



■^In Dijkstra's definition of a guarded command (D, F) the map -F is taken to be a global map, for certain technical reasons 
which do not concern us here. 
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We then have dyn{AjF) ~ D and fix{Aip) — E. 

The "basic theorem for the alternative construct" takes the following form. The proof follows imme- 
diately from the definitions of Aq and A/^. 

Theorem 7.3. Let A,BCX be such that ACD, and Fj{AnDj) C B for all j. Then Aif{A) C B. 

Next, let us consider the repetitive construct DO. It seems natural to define it by either Ag or Afp. 
However, Dijkstra does neither, for two reasons. The first is that he does not want the points that are 
weakly convergent for Aq, but not convergent, in the domain of DO. Secondly, he does not consider 
the computation terminated unless the state enters D''. This means that if the state finds itself in the 
set E then, even though it is a fixed point, for both Aq and Ajp, the computation is not considered 
to terminate: The points of E should be considered to be the points where the computation "hangs" . 
To construct a properly terminating program guaranteeing an outcome in D'^ we need therefore to take 
away from d,yn{AQ) all the points that arc weakly convergent but not convergent, and also all those 
points that end up in E. This means that wc need to restrict ourselves to the set bas{AQ, D'^). By 
Remark 5.9 this is the set con{AQ) n {Aq)~^{D'^). We have then the following definition. 

Definition 7.4. Let a quilt Q be given as above. Then the choice structure Ajjo is defined by 



Clearly dyn{ADo) = bas{AQ,D'') and fix{ADo) = D". Also Ado(^) ^ D". 
The "fundamental invariance theorem for loops" takes the following form. 

Theorem 7.5. LetV CX be such that Aif{V DD) CV. Then AooiV D con{AQ)) CVnD''. 

Proof Since Ajp = Aq on D we are given that Aq{V D D) CV. 

Let X E V n con{AQ)). If a; e D'^ there is nothing to prove. So let x G D. Since x S con{AQ) there 
exists fc > such that A'^(a;) = Aq{x). Let y € A''{x). Then y E D" and there exists a run x = 
xo,xi, • ■ ■ ,Xk — y. Let j be the least integer such that Xj G D'^. Then Xj — y and xq, xi, • • • , Xj-i S D. 
So we have successively 




□ 



xoCV r\D xi = Aq(xo) eV (^D 

X2 = Aq(xi) e y n£) 



Xj-x = Aq(.xj_2) g V n d 

Xj = AQ{xj-{) € y n 



The theorem is proved. 



□ 



We have thus seen that using the formalism of choice set maps it is very easy to understand the 
structures IF and DO. We now need to prove that our definitions coincide with Dijkstra's. 
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Let us consider IF first, and let us consider the special case when there is only one patch {D,F). In 
this case wp {F, A) is described on p. 17 of [Dijkstra 1976] by the following sentence (notation changed): 

"If the initial state satisfies wp (F, A), the mechanism is certain to establish eventually the truth of A" . 
This means that ii x e wp {F,A) then F{x) e A. Or wp {F,A) = F^^{A). 

Consider next the case of a general quilt Q as above. Then 

AJ^{A) = {x I ^ A,;.(a;) C A} 
= {x eD\ Aif{x) C A} 
= {x € D \ x G Di ^ Fi{x) e A} 
= Df){x\xeDi^xe Fr'^{A)} 
= Dn{x \ x G Di=> x Gwp {F, A)} 



But this is exactly the definition of wp {IF, A) on p.34 of [Dijkstra 1976]. So wp (IF, A) = Ajp{A) 
for all ACX. 

For the DO construct also we need to show that A^q(^) = wp {DO, A) for all ^ C X. This takes 
some hard work. By Definition 7.4 we see that A~lj]j{A) = bas{AQ, A D D^). So wc need to show that 
bas{AQ,A n D'^) = wp {DO, A). For this purpose, we need to first characterize the set bas{A,A) in 
terms of iterates of for any choice set map A and for any ACX. 

Definition 7.6. Given a choice set map A and ACX, A~'=(^) = (A~^)'=(A) for fc > 1 and 
(A-i)0 = AO. □ 

It is natural to ask ourselves at this stage how (A"^)*^ is related to (A'^)"^. First of all we note that 
they need not be equal. 

Example 7.7. Let X = {a,b,c}, and let A(a) = {b,c}, A{b) = 0, A(c) = {c}. Then A'^{a) = {c}, 
so that a G {A'^)-\c). But {A-^)^{c) = A-^{c) = {c}. □ 

We have the following result. 

Lemma 7.8. Let A be a choice set map on X, AC X, and fc > 0. Then 

{!) {A-^f{A)C{A'^)-\A); 

{2) {A^)-^{A) n stab{A) C {A-^ f{A). 

Proof We prove the theorem by induction on k. 

(1) For fc = 1 equality holds. Assume the result for k. 

X e {A-^f+^{A) ^ ^ A(a;) C {A-^f{A) 
^ 0^ A(a;) C (A*=)-i(A) 
^ %^A''+^{x)CA 
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X e (A'=+i)-i(A) 

Hence (A-i)*=+i(A) C (A*=+i)-i(A). 
(2) For A; = 1 the relation holds. Assume that (A*=)-i(^) n stab{A) C {A-'^)''{A). Then 

X G (A'=+i)-i(A) n stab{A) ^ xe stab{A) and ^ A'=(A(a:)) = A'=+i(a;) C A, 

^ X e stab{A) and ^ A''(y) C A for every y G A(a;) 
^ a; e stab{A) and y G (A'')"-^(A) for every y G A(x) 

a; G stab (A) and y G (A'')~^(A) n stab{A) for every y G A(a;) 
^ a; G sto6(A) and y G (A"^)''(A) for every y G A{x), 
^0 7^ A(a;) C (A-i)'=(A) 

xG (A-i)('=+i)(^) 

This proves that (A'=+i)-i(A) n sto6(A) C (A-i)'=+i(A). □ 

Remark 7.9. It follows from Remark 5.3 that A~'' {stab{A)) C stab{A), for fc > 0. In particular 
A-'=(/ix(A)) C sia6(A), for fc > 0. □ 

Theorem 7.10. ForanyACX, bas{A, A) = Uk>oA-''{Ar\ fix{A)). 

Proof It is enough to consider the case A D fix{A) ^ 0. 

Suppose X G 6as(A, A). Then x G con(A) C sta6(A), and there exists fc > such that ^ A°°(a;) = 
A'=(a;) C ^ n /za;(A). This implies that x G (A'=)-i(A n /za;(A)) n sta&(A) C {A'^fi^A n /za;(A)) and 
hence x G A~'=(A n fix{A). 

So 6as(A, A) C Ufe>oA-'=(^ n fix{A)). 

Conversely, suppose x G A~''{A n fix{A)) for some A: > 0. By the remark 7.9, x G sia6(A) also. 
Since {A-'^)''{An fix{A)) C (A'=)-i(yl n /ia;(A)), we have A'=(a;) C Ar]fix{A). Then x G con(A) and 
A°°(a;) = A*^(x) C ^ so that a; G 6as(A,^). So Ufe>oA-'=(^ n fix{A)) C 6as(A, A). 

This proves that bas{A, A) = Ufe>oA-'=(A n fix{A)). □ 

To complete the connection to Dijkstra's wp formalism we need to connect the map A^q with the 
iterates of Ajp. 

Lemma 7.11. Let AC X. Define Ho{A) = AnD'', and for k > 0, Hk+i{A) = wp {IF,Hk{A)) U 
Ho{A). Then Aq'' {ADD") = Hk{A) for all k>0. □ 

Proof Note first that if x G Ho{A), then Aq(x) = {x} C AnD" so that Ha{A) C Aq'^{A n D""). By 
the monotonicity property of multiplicative maps we have Hq{A) C Aq''{A fl for all fc > 0. 

For fc = we have Ho{A) =AnD'' = {Aj^)°{AnD''). Assume that Ag'^iAnD'') = Hk{A) for some 
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k. Then 

X G Hk+i{A) ^ X ewp {IF, Hk{A)) or a; e Ha{A) 
^ x€ {AiF)-\Hk{A)) 01 xe Ho{A) 

X € D and Aif{x) C Hk{A) ot x € Ho{A) 
^ xeD &nd Aq{x) C Aq''{A D D") or a; e Ho{A) 
^ a; e £> and a; e Aq^{Aq^{A n D")) or a; e Ho{A) 
^ a;e A-('=+^)(An£)"). 

This proves the lemma. □ 

Theorem 7.12. A-^(A) = wp {DO, A) for all A<ZX. 

Proof For the proof we only need to collect our earlier results and see the definition of wp {DO, A) on 
p.35 of [Dijkstra 1976]. 



A-^\,{A) = bas{AQ,AnD-) 
= Uk>oAQ\AnD') 
= Uk>oHk{A) 
= wp {DO, A) 

This proves the theorem. □ 
8. CONCLUDING REMARKS 

Dijkstra [Dijkstra 1976] introduces the notion of a nondeterministic mechanism acting on a state space 

X but docs not define the notion. Rather he says that such a mechanism induces a set action that 
we have denoted by fj, and that the action characterizes the mechanism. We have shown that /x is 
determined by a choice set map and that the backward acting n is equivalent to the forward acting A. 
Thus this article presents an alternative approach to the imdcrstanding of Dijkstra's formalism. We 
have also shown that there is a third way and equivalent way of defining nondeterminism that is dual 
to that of Dijkstra, in terms of additive maps. 

Our approach also suggests there is a weak convergence related to additive maps that could operate in 
nondeterministic mechanisms. In subsequent articles we shall choose the choice set map as our primary 
way of modeling nondeterminism and present an exposition of the design of algorithms as suggested 
by Dijkstra, and also the standard concepts of computability, complexity, witness certificates and other 
such ideas studied in a standard course in the theory of computation [Lewis and Papadimitriou 2005] . 
It turns out that weak inverses of choice set maps have an important role to play. 
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